CVE-2026-45348 pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to...

CVE-2026-45348

CVE-2026-45348 affects pyLoad before version 0.5.0b3.dev100, where an unsanitized link URL interpolated in a template literal within packages.js allows stored XSS in the Downloads view. Attack surface: authenticated operators can submit a package link that injects HTML/JS, which gets rendered via...

WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection

Summary The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Affected Package - Ecosystem: Other - Package: AVideo - Affected versions: = commit...

CVE-2026-27508

Smoothwall Express versions prior to 3.1 Update 13 contain a reflected cross-site scripting vulnerability in the /redirect.cgi endpoint due to improper sanitation of the url parameter. Attackers can craft malicious URLs with javascript: schemes that execute arbitrary JavaScript in victims' browse...

CVE-2026-31876 Notesnook has Stored XSS via unsanitized Twitter/X embed URL in editor (`tweetToEmbed`)

Notesnook is a note-taking app focused on user privacy & ease of use. Prior to 3.3.9, a Stored Cross-Site Scripting XSS vulnerability existed in Notesnook's editor embed component when rendering Twitter/X embed URLs. The tweetToEmbed function in component.tsx interpolated the user-supplied URL...

CVE-2026-1441

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVE-2026-1438

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVE-2026-1439 Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVE-2026-1438 Reflected Cross-Site Scripting (XSS) vulnerability in Graylog Web Interface

Reflected Cross-Site Scripting XSS vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker ...

CVE-2022-23397

The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. NOTE: the vendor disputes this because the ado.im reference has "no...

CVE-2019-16989

In FusionPBX up to v4.5.7, the file app\conferencesactive\conferenceinteractive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS...

GHSA-27M7-FFHQ-JQRM MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL

Summary The MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host...

CVE-2025-40545

SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required...

CVE-2025-40545 SolarWinds Observability Self-Hosted Open Redirection Vulnerability

SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required...

Cross Site Scripting (XSS)

@meshconnect/web-link-sdk is vulnerable to cross-site scripting XSS. The vulnerability is due to the lack of sanitization of URL protocols in the createLink.openLink function, which allows an attacker to execute arbitrary JavaScript code in the parent page context and access its DOM, storage,...

EUVD-2019-7467

Malware in sbrugna...

EUVD-2019-7452

Malware in sbrugna...

EUVD-2006-0776

Malware in sbrugna...

EUVD-2022-1753

Malicious code in bioql PyPI...

CVE-2025-59430

Mesh Connect JS SDK contains JS libraries for integrating with Mesh Connect. Prior to version 3.3.2, the lack of sanitization of URLs protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. This is technically...